I think it means a lot more than just data residency. Without the safe harbor agreement you can no longer avoid EU privacy regulations by storing the data in the US.
This means that a lot of US companies are now exposed to EU privacy regulations where previously they only had to account for US privacy regulations.
The US privacy regulations are no longer considered compatible with the EU privacy regulations. That has much more impact than just data residency.
What I am curious about is how do we define "doing business in the EU"? If I am American, create a blog stored in the US, and allow users to register an account to comment on the blog, am I doing business in the EU if an EU person creates an account, or are my visitors more akin to foreign tourists visiting a US shop in the US and therefore outside the reach of EU regulation?
In the financial sector, the extra-territoriality of US laws has been a problem for decades. Securities issued in the EU, by EU entities and marketed to EU investors end up having some language referring to which US regulation they fall under out of fear that a US person will end up buying it, and the US applying their laws and regulations.
> In the financial sector, the extra-territoriality of US laws has been a problem for decades.
This is a problem for the internet that has long been present but is increasing: multiple jurisdictions with global reach. Historically the First Amendment has shielded the internet from a lot of attempts to interfere with it, but there's no particular reason why only the US should claim that its laws apply globally. Why not Franco-German laws against Holocaust denial? English libel law? Saudi blasphemy law? Chinese censorship law?
Sooner or later someone's going to find themselves in a Kafkaesque situation where two global jurisdictions demand incompatible things.
> Sooner or later someone's going to find themselves in a Kafkaesque situation where two global jurisdictions demand incompatible things.
That's exactly what we're already talking about here: companies are unable to obey both EU rules concerning privacy, and US laws concerning law enforcement access to data.
And that's basically why borders between internet jurisdictions are now being drawn up.
The sad thing is that Europe also has laws enabling law enforcement access to data, including (until recently) mandatory retention of certain data by ISPs. All this is about is mass surveillance without due process. All that would be required to fix it is interpreting the Fourth Amendment in the same way as Article 8, and abolishing the whole secret court infrastructure.
> The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
> Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
Microsoft was ordered to hand over an Irish citizen's emails stored outside of the US to US government officials in a drug case. The case is still in appeals.
In practical terms your blog would be outside the EU jurisdiction so no direct, effective sanctions could be levied. However if you do take payments, for anything, from within the EU that is where they can hit you; by simply blocking European banks from making payments to you.
I'm not a bitcoin guy but this is a scenario where I can see the technology becoming popular/useful. They can theoretically block your service (like China firewall) but that's harder to pull off and sell to public.
For example it could let games circumvent online gambling laws.
> What I am curious about is how do we define "doing business in the EU"? If I am american, create a blog stored in the US, and allow users to register an account to comment on the blog, am I doing business in the EU if a EU person creates an account or are my visitors more akin to foreign tourists visiting a US shop in the US and therefore outside the reach of EU regulation?
De facto, it's when you take money from EU customers and/or have an official office in some EU country.
To wit, non-profit doesn't mean "doesn't take in money." IIRC, it means that the organization doesn't distribute surplus income (profit) to shareholders.
So, a non-profit that took monies from EU citizens I think would still possibly be affected, unless there are EU laws that make non-profits a different class of business subject to different laws.
There are non-profits that make millions of dollars in positive cash flow. All that term means (At least in the US) is that it doesn't ever pay dividends to shareholders.
I'll be intentionally vague because I don't want to stray too far afield, but there are some large organizations that make a lot of money but are classified as non-profit. They can pay excess revenue as bonuses to directors and executives.
Note that I said "de facto", not "de jure". Nobody would bother suing a non-profit that doesn't have EU offices unless you were very large and/or very prominent and/or doing something really nefarious with the data you have. And even then, suing a US company with no EU standing in front of an EU court on an EU citizen's complaint is far from easy.
The same reason that if, say, Texas introduces a law that says everyone commenting on a Texan website needs to be polite and I post a comment with some name calling, suing me as someone not from Texas nor the US would not be very doable, even though I technically infringe on that law.
This is where I think Business Insider is ultimately "wrong", yet it keeps stressing in all related articles how this will create huge bureaucracy.
From what I see in the ruling, it keeps stating "under the directive" (Data Protection Directive).
The current Directive does indeed give national governments the right to decide how it's implemented. However, the new Directive (or regulation actually, meant to pass this year) will unify the directive for all countries. So I believe this "bureaucracy" issue, at least in regards to having to follow 27 different laws, will not be an issue anymore.
Even the current directive likely doesn't require satisfying all nations separately; since the various schemes are supposed to be compatible (i.e. conceptually safe harbor, though it's not called that, does apply within the EU), if a business hosted its data in one country and served others from there, they'd likely be safe.
There might be some bureaucracy to ensure that you really count as being hosted there (e.g. possibly ensuring that the parent company cannot access said data - which would be problematic for some companies), but AFAIK (IANAL) there's no legal distinction between EU and non-EU companies in this kind of rule.
EU banks also have special rules for US persons. There are special courses on how to properly determine whether someone counts as US person or not. Nobody cares about other countries.
Isn't the US the only country that taxes the foreign income of its citizens, which would probably require that the banks have some paperwork particular to US citizens with accounts?
One of my Dutch banks, a small investment bank, kicked me out because I am on a temp visa in the USA. This means I have to pay taxes here and therefore need to report my Dutch bank accounts with the IRS. They told me the US penalties for not reporting 100 % correctly on my money with them were so outrageous that they preferred to boot me.
U.S. residents, including temporary residents, are considered "U.S. persons" by the IRS and have to report everything. Amusingly this also applies to holders of U.S. Green Cards who aren't actually resident in the U.S.
Canadians working in the U.S. have had fun with IRS because a type of Canadian registered (tax-advantaged) savings account is not recognized by the IRS as a registered savings account but rather a "passive foreign investment company" and IRS loves to make people fill out lots of paperwork. This is apparently because IRS rules haven't been updated in the 10 years since the account type has been created.
Yes. If you're a US person or a US citizen living abroad, you pay income tax on all of your income wherever it is earned. And even most states claim this too. If you live in Colorado and travel one time to earn a consulting fee in New York you must pay New York state income tax on the money earned in New York, and claim it as a credit with Colorado. That means filing IRS forms, Colorado income tax forms, and New York income tax forms.
It's such a bureaucratic clusterfuck for a small business or consultant.
There is this problem in multiple countries I believe.
From what I understand, the US asks you to report what you earn outside of the US but also what you paid as taxes. If the foreign country has a tax treaty with the US you would only pay the difference (in case the US taxes are higher than the foreign).
It might not be the only country, but such taxation practice is definitely not the norm.
Unfortunately, there's little chance of normalizing the laws with international custom, since I can already see the attack ads about tax breaks for the wealthy.
Similar to the Cookie banner, you'll probably have to indicate to your subscribers that their data will be resident outside the EU and will not be subject to the same data protection. Subscriber proceeding will indicate agreement with that.
No, the data protection directives are not something you can opt out of, even if you nicely ask your users with a banner.
Note that the original point of the cookie banner law was not to ban cookies, but to inform users about them and allow users to avoid websites storing information about them. The consequence of that law is terrible and we all know that with the banners everywhere, but at no point was it "cookies are forbidden, but you can bypass it with user approval", it was "cookies are allowed but require approval".
Storing EU citizen data without respecting the data privacy directive is forbidden, period.
Actually, the fundamental rule of data protection legislation is that an organisation can store data on its subscribers and cannot, except in limited legally prescribed instances (e.g. lawful intercept, insurance fraud), share it with another organisation.
The issue at the core of the Schrems case is that Facebook for example is not bound to respect this, or any other fundaments of EU data protection law.
However, if you register with a website that is clearly and overtly outside your data protection jurisdiction then it is "you" who is freely providing that data. Just as you might give personal information over a transatlantic phone call.
The EU has no jurisdiction where the company is not in the EU, and cannot prevent an individual from sending their private information outside the jurisdiction if they want to.
But various of these multinationals such as Facebook are in the EU for various operational reasons and as such the EU does have jurisdiction over them.
Perhaps more relevant to the data retention laws would be a site sharing passport numbers, names and addresses of EU citizens, perhaps collected at stays at motels/hotels across the US? The site might host them for free, but keeping/sharing that data without consent wouldn't be allowed under EU law. The particular example would probably also be illegal according to one or more US laws (state or federal), but I think it is still more interesting than the rather silly things people get hung up on?
If it's a US organisation (and not a multinational like FB), with data collected in the US, the Data Protection Directive does not apply. The fact it's merely EU citizens is irrelevant.
> The NSA will not stop gathering data on EU citizens
This is precisely the reason for the ruling. US policy will not guarantee that NSA won't snoop on EU citizens, therefore "safe harbour" is null. You're either respecting the other jurisdictions or you're not.
The issue here is not that the "law failed to do what it promised" it's that the "law was not implemented as promised". It can still fail even with the right implementation but at least now such practices facilitating such failures are now understood by everybody to be illegal. It is not "Okay" any more.
As you probably know, you can't comment like this on HN and we ban accounts that do it repeatedly. Please post civilly and substantively or not at all.
> Without the safe harbor agreement you can no longer avoid EU privacy regulations by storing the data in the US.
Maybe I'm missing something here.
My understanding is that the Safe Harbour agreement wasn't a mechanism for US companies to avoid EU data protection regulations... it was a certification that they did comply with EU data protection (particularly in situations where that data was transmitted outside the EU).
Now it's gone, EU customer data held by US companies will be governed by national data protection laws instead, so may end up having to be stored within the EU.
> The US privacy regulations are no longer considered compatible with the EU privacy regulations
I don't think they ever were, which is why the Safe Harbour needed to exist in the first place.
No, you are more or less right. The general rule is that personal data may only be transferred to organizations in third countries such as the US if they comply with the EU rules on data protection. See chapter IV of the data protection directive: http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:319...
In order to avoid that each EU member state would have to approve Google, Microsoft etc. one by one, the safe harbour framework was set up to let US companies self certify that they complied with the rules:
"In order to bridge these differences and provide a streamlined and cost-effective means for U.S. organizations to satisfy the Directive’s “adequacy” requirement, the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU in 2000, is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws. Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides "adequate" privacy protection, as defined by the Directive."
That was obviously a broken system, partially because the certified companies didn't live up to the EU standards, partially because the US government violated the rules systematically through CIA, NSA etc.
The fault here is really European as much as American. By relying on the wolf to guard the sheep we very much had it coming.
US privacy regulations were not considered compatible with EU ones before the ruling either.
The agreement was that US companies sign a list with the US Dept. of Commerce that they considered themselves in compliance with EU regulations when handling EU citizen data and that would give legal immunity to them and their subsidiaries in the EU.
This ruling means that EU countries are now allowed to check if they are lying or not.
The end of the article makes it sound like just adding a clause to the terms & conditions saying the user agrees to his data being stored in the US would be enough to bypass this. They just can't assume they have that right under safe harbour.
Hopefully they'll restrict that and require a higher threshold for consent than someone clicking "I agree" to 100 pages of dense legalese.